[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836321#comment-16836321
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

Mmm, finally it's not as deprecated as I thought, because [I looked at a 
fork|https://github.com/andresriancho/owaspantisamy]. When I look at what I 
think is the original I see it's maintained:
https://github.com/nahsra/antisamy
https://github.com/nahsra/antisamy/issues/10

Still we are actually using https://github.com/OWASP/java-html-sanitizer which 
is clearly well maintained, and turning to antisamy does not seem to be better 
for us.

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836323#comment-16836323
 ] 

Jacques Le Roux commented on OFBIZ-10054:
-

See my last comment about AntiSamy API in OFBIZ-10187. It clarifies that we 
still prefer to use https://github.com/OWASP/java-html-sanitizer

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo onerror=alert(Hi!);
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.





[jira] [Created] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Pierre Smits (JIRA)
Pierre Smits created OFBIZ-11017:


 Summary: In demo data many parties are incorrectly set with role 
'INTERNAL_ORGANIZATIO'
 Key: OFBIZ-11017
 URL: https://issues.apache.org/jira/browse/OFBIZ-11017
 Project: OFBiz
  Issue Type: Bug
  Components: accounting
Affects Versions: Release Branch 16.11, Release Branch 15.12, Trunk, 
Release Branch 14.12, Release Branch 13.07, Release Branch 17.12, Release 
Branch 18.12
Reporter: Pierre Smits


Many organisational units in the demo data set are type-cast wrongly as 
'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.

This occurs in:
 * AccountingDemoData.xml
 * MarketingDemoData.xml





[jira] [Updated] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11017:
-
Attachment: OFBIZ-11017-DemoData.patch

> In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'
> --
>
> Key: OFBIZ-11017
> URL: https://issues.apache.org/jira/browse/OFBIZ-11017
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting, marketing
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Assignee: Pierre Smits
>Priority: Major
> Attachments: OFBIZ-11017-DemoData.patch
>
>
> Many organisational units in the demo data set are type-cast wrongly as 
> 'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.
> This occurs in:
>  * AccountingDemoData.xml
>  * MarketingDemoData.xml





[jira] [Assigned] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits reassigned OFBIZ-11017:


Assignee: Pierre Smits

> In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'
> --
>
> Key: OFBIZ-11017
> URL: https://issues.apache.org/jira/browse/OFBIZ-11017
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting, marketing
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Assignee: Pierre Smits
>Priority: Major
>
> Many organisational units in the demo data set are type-cast wrongly as 
> 'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.
> This occurs in:
>  * AccountingDemoData.xml
>  * MarketingDemoData.xml





[jira] [Updated] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11017:
-
Component/s: marketing

> In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'
> --
>
> Key: OFBIZ-11017
> URL: https://issues.apache.org/jira/browse/OFBIZ-11017
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting, marketing
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Priority: Major
>
> Many organisational units in the demo data set are type-cast wrongly as 
> 'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.
> This occurs in:
>  * AccountingDemoData.xml
>  * MarketingDemoData.xml





[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836331#comment-16836331
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

h3. Sorry for the digressions in both Jiras below. I needed to clear my mind 
and put notes somewhere...

A last note, in OFBIZ-10054 I wrote

{quote}
Actually there are 2 ways used in OFBiz:

# To prevent saving stored XSS scripts in the DB we reject them beforehand. This is 
achieved with UtilCodec.checkStringForHtmlStrictNone(). Most of the possible 
XSS attacks rely on the less-than (<) and greater-than (>) symbols. But as 
shown with the current issue there are other types of possible attacks.
# Filter HTML texts and remove the unwanted parts. This is done using policies 
with HtmlEncoder::sanitize. The default policy is not very permissive. Since 
OFBIZ-10187 it's easier to create your own more permissive policies. An example 
inspired by eBay is available OOTB. To be safer a policy inspired by Slashdot 
could be used. Anyway it's up to you... I should note here though that 
currently the AntiSamy API is not used in OFBiz. This is something that still 
needs to be clarified with the authors of OFBIZ-10187. Maybe it was easier for 
them to adapt from XML to Java...

These 2 ways (reject or filter) are somehow discussed here: 
https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md
{quote}

The most interesting part is at the bottom and says

{quote}
One use case for validation seems to be to allow a comment edit window to warn 
about markup that violates a policy instead of dumping a sanitized output on 
them and asking them to look past cosmetic differences like changes in case and 
entity encoding.

Knowing that an input is invalid does not help narrow down the problematic part 
of the input.

This use case seems to be addressable via

String normalizedButNotFiltered = policyThatAllowsEverything.sanitize(input);
String filtered = policy.sanitize(input);
boolean violatedPolicy = !normalizedButNotFiltered.equals(filtered);

and those two can be structurally compared to narrow down the problematic part.
{quote}

I will have another look at OFBIZ-10054 and decide if we can't use this way. I 
first wanted to make it work; handling js events in a policy is another story 
for another Jira...



> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.




[jira] [Comment Edited] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836331#comment-16836331
 ] 

Jacques Le Roux edited comment on OFBIZ-10187 at 5/9/19 12:24 PM:
--

h3. Sorry for the digressions in both Jiras below. I needed to clear my mind 
and put notes somewhere...

A last note, in OFBIZ-10054 I wrote

{quote}
Actually there are 2 ways used in OFBiz:

# To prevent saving stored XSS scripts in the DB we reject them beforehand. This is 
achieved with UtilCodec.checkStringForHtmlStrictNone(). Most of the possible 
XSS attacks rely on the less-than (<) and greater-than (>) symbols. But as 
shown with the current issue there are other types of possible attacks.
# Filter HTML texts and remove the unwanted parts. This is done using policies 
with HtmlEncoder::sanitize. The default policy is not very permissive. Since 
OFBIZ-10187 it's easier to create your own more permissive policies. An example 
inspired by eBay is available OOTB. To be safer a policy inspired by Slashdot 
could be used. Anyway it's up to you... I should note here though that 
currently the AntiSamy API is not used in OFBiz. This is something that still 
needs to be clarified with the authors of OFBIZ-10187. Maybe it was easier for 
them to adapt from XML to Java...

These 2 ways (reject or filter) are somehow discussed here: 
https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md
{quote}

The most interesting part is at the bottom and says

{quote}
One use case for validation seems to be to allow a comment edit window to warn 
about markup that violates a policy instead of dumping a sanitized output on 
them and asking them to look past cosmetic differences like changes in case and 
entity encoding.

Knowing that an input is invalid does not help narrow down the problematic part 
of the input.

This use case seems to be addressable via


{code:java}
String normalizedButNotFiltered = policyThatAllowsEverything.sanitize(input);
String filtered = policy.sanitize(input);
boolean violatedPolicy = !normalizedButNotFiltered.equals(filtered);

{code}

and those two can be structurally compared to narrow down the problematic part.
{quote}

I will have another look at OFBIZ-10054 and decide if we can't use this way. I 
first wanted to make it work; handling js events in a policy is another story 
for another Jira...




was (Author: jacques.le.roux):
h3. Sorry for the digressions in both Jiras below. I needed to clear my mind 
and put notes somewhere...

A last note, in OFBIZ-10054 I wrote

{quote}
Actually there are 2 ways used in OFBiz:

# To prevent saving stored XSS scripts in the DB we reject them beforehand. This is 
achieved with UtilCodec.checkStringForHtmlStrictNone(). Most of the possible 
XSS attacks rely on the less-than (<) and greater-than (>) symbols. But as 
shown with the current issue there are other types of possible attacks.
# Filter HTML texts and remove the unwanted parts. This is done using policies 
with HtmlEncoder::sanitize. The default policy is not very permissive. Since 
OFBIZ-10187 it's easier to create your own more permissive policies. An example 
inspired by eBay is available OOTB. To be safer a policy inspired by Slashdot 
could be used. Anyway it's up to you... I should note here though that 
currently the AntiSamy API is not used in OFBiz. This is something that still 
needs to be clarified with the authors of OFBIZ-10187. Maybe it was easier for 
them to adapt from XML to Java...

These 2 ways (reject or filter) are somehow discussed here: 
https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md
{quote}

The most interesting part is at the bottom and says

{quote}
One use case for validation seems to be to allow a comment edit window to warn 
about markup that violates a policy instead of dumping a sanitized output on 
them and asking them to look past cosmetic differences like changes in case and 
entity encoding.

Knowing that an input is invalid does not help narrow down the problematic part 
of the input.

This use case seems to be addressable via

String normalizedButNotFiltered = policyThatAllowsEverything.sanitize(input);
String filtered = policy.sanitize(input);
boolean violatedPolicy = !normalizedButNotFiltered.equals(filtered);

and those two can be structurally compared to narrow down the problematic part.
{quote}

I will have another look at OFBIZ-10054 and decide if we can't use this way. I 
first wanted to make it work; handling js events in a policy is another story 
for another Jira...



> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, 
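The two approaches described in Jacques' comment above (and in its original version under "was"): rejecting any markup up front, the idea behind UtilCodec.checkStringForHtmlStrictNone(), and filtering through a sanitizer policy, plus the normalize-then-compare check quoted from html-validation.md. This is an added Java example, not code from OFBiz or from the java-html-sanitizer project. The policy names (`STRICT_DEFAULT`, `SITE_PERMISSIVE`), the helpers (`rejectIfMarkup`, `filter`, `violatesPolicy`) and the sample markup are assumptions constructed for the example; `HtmlPolicyBuilder`, `Sanitizers` and `PolicyFactory.sanitize` are the sanitizer library's real API.

```java
// Added example (not OFBiz's or java-html-sanitizer's own code). Assumes the
// OWASP java-html-sanitizer (package org.owasp.html) is on the classpath.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class HtmlPolicyCheck {

    // Stand-in for a strict default: the library's bundled policies allow
    // block and inline elements, links and images, but no class attribute,
    // which is exactly what OFBIZ-10187 complained about.
    static final PolicyFactory STRICT_DEFAULT = Sanitizers.BLOCKS
            .and(Sanitizers.FORMATTING)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.IMAGES);

    // Stand-in for a site-specific, more permissive policy: the same kind of
    // structure, but class is allowed on every permitted element. Event
    // handler attributes are never listed, so the policy drops them.
    static final PolicyFactory SITE_PERMISSIVE = new HtmlPolicyBuilder()
            .allowElements("div", "p", "span", "h1", "h2", "h3", "a", "img")
            .allowAttributes("class").globally()
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    /** "Reject" approach: refuse the value outright if it carries any markup.
     *  Simplified, assumed reimplementation of the idea behind
     *  UtilCodec.checkStringForHtmlStrictNone(), not OFBiz's actual method. */
    static boolean rejectIfMarkup(String input) {
        return input.indexOf('<') >= 0 || input.indexOf('>') >= 0;
    }

    /** "Filter" approach: keep the value but strip whatever the policy forbids. */
    static String filter(PolicyFactory policy, String input) {
        return policy.sanitize(input);
    }

    /** Validation by comparison, as in the quoted docs: the baseline policy
     *  normalises the markup (case, entity encoding, closing tags) without
     *  removing the parts the site wants; if the stricter policy's output
     *  differs, the input violates that policy. Caveat: the baseline must be
     *  at least as permissive as the policy under test, otherwise anything
     *  both policies drop is invisible to the comparison. */
    static boolean violatesPolicy(PolicyFactory baseline, PolicyFactory policy, String input) {
        String normalizedButNotFiltered = baseline.sanitize(input);
        String filtered = policy.sanitize(input);
        return !normalizedButNotFiltered.equals(filtered);
    }

    public static void main(String[] args) {
        // Constructed sample: CMS markup of the kind shown in the issue, with class attributes.
        String slider = "<div class=\"slider\"><h2 class=\"title\">Lorem ipsum</h2>"
                + "<p>At vero eos</p><a href=\"https://example.invalid/more\">more</a></div>";
        // Constructed sample: an image tag carrying an event-handler attribute.
        String withHandler = "<img src=\"x.png\" alt=\"\" onerror=\"alert(1)\">";

        System.out.println("reject slider? " + rejectIfMarkup(slider)); // any markup is refused
        System.out.println(filter(STRICT_DEFAULT, slider));              // class attributes stripped
        System.out.println(filter(SITE_PERMISSIVE, slider));             // class attributes kept
        // The strict default alters markup the site policy accepts, so the
        // comparison flags it instead of silently handing back a changed document.
        System.out.println("strict default changes site markup? "
                + violatesPolicy(SITE_PERMISSIVE, STRICT_DEFAULT, slider));
        // Neither policy lists onerror, so both strip it before the HTML is stored or rendered.
        System.out.println(filter(SITE_PERMISSIVE, withHandler));
        System.out.println(filter(STRICT_DEFAULT, withHandler));
    }
}
```

Run it with the sanitizer jar on the classpath (`javac -cp owasp-java-html-sanitizer.jar HtmlPolicyCheck.java`, then `java -cp .:owasp-java-html-sanitizer.jar HtmlPolicyCheck`). The design point is the order of the two policies in `violatesPolicy`: a comparison against a baseline that is narrower than the policy under test only proves both stripped the same things, which is why the quoted docs pair the check with a policy that allows everything the site could legitimately contain.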

[jira] [Assigned] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Pawan Verma (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pawan Verma reassigned OFBIZ-11010:
---

Assignee: Pawan Verma

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Pawan Verma
>Priority: Major
>
> While working on OFBIZ-9153 I could not reproduce the same error either in 
> R16 or trunk but got:
> {noformat}
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |GenericDelegator  
> |E| Failure in create operation for entity [OrderHeader]: 
> org.apache.ofbiz.entity.GenericEntityException: Error while inserting: 
> [GenericEntity:OrderHeader][agr
> eementId,null()][billingAccountId,null()][createdBy,admin(java.lang.String)][createdStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][createdTxStamp,2019-04-30 
> 12:20:49.945(java.sql.Timestamp)][currencyUom,USD(java.lang.String)][entryDa
> te,2019-04-30 
> 12:20:50.04(java.sql.Timestamp)][grandTotal,2974.99000(java.math.BigDecimal)][invoicePerShipment,Y(java.lang.String)][lastUpdatedStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][lastUpdatedTxStamp,2019-04-30 12:20:49.945(
> java.sql.Timestamp)][needsInventoryIssuance,Y(java.lang.String)][orderDate,2019-04-30
>  
> 12:20:50.04(java.sql.Timestamp)][orderId,RSCO10050(java.lang.String)][orderName,null()][orderTypeId,SALES_ORDER(java.lang.String)][originFacilityId,MyR
> etailStore(java.lang.String)][productStoreId,9100(java.lang.String)][salesChannelEnumId,POS_SALES_CHANNEL(java.lang.String)][statusId,ORDER_CREATED(java.lang.String)][terminalId,pos-1(java.lang.String)][transactionId,10010(java.lang.Stri
> ng)] (SQL Exception while executing the following:INSERT INTO 
> OFBIZ.ORDER_HEADER (ORDER_ID, ORDER_TYPE_ID, ORDER_NAME, EXTERNAL_ID, 
> SALES_CHANNEL_ENUM_ID, ORDER_DATE, PRIORITY, ENTRY_DATE, 
> PICK_SHEET_PRINTED_DATE, VISIT_ID, STATUS_ID, CR
> EATED_BY, FIRST_ATTEMPT_ORDER_ID, CURRENCY_UOM, SYNC_STATUS_ID, 
> BILLING_ACCOUNT_ID, ORIGIN_FACILITY_ID, WEB_SITE_ID, PRODUCT_STORE_ID, 
> AGREEMENT_ID, TERMINAL_ID, TRANSACTION_ID, AUTO_ORDER_SHOPPING_LIST_ID, 
> NEEDS_INVENTORY_ISSUANCE, IS_R
> USH_ORDER, INTERNAL_CODE, REMAINING_SUB_TOTAL, GRAND_TOTAL, IS_VIEWED, 
> INVOICE_PER_SHIPMENT, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, 
> CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'ORDER_HEADER' 
> caused a violation of foreign key constraint 'ORDER_HDR_SCENUM' for key 
> (POS_SALES_CHANNEL).  The statement has been rolled back.)). Rolling back 
> transaction.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |TransactionUtil   
> |I| Transaction rollback only not set, rollback only is already set.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |OrderServices 
> |E| Cannot create OrderHeader entity; problems with insert
> {noformat}
> After selecting
> # GZ-1005 '.NIT Gizmo ',
> # paying cash using the F3 button (also there it does not work very well if 
> you don't put the right amount from start, but that's another hair of the yak)
> # checking out using the F8 button





[jira] [Closed] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-11010.
---
   Resolution: Fixed
Fix Version/s: 18.12.01
   16.11.06
   17.12.01

Thanks Pawan,

Your patch is in

trunk r1859012
R18 r1859013
R17 r1859014
R16 r1859016

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: OFBIZ-11010.patch
>
>
> While working on OFBIZ-9153 I could not reproduce the same error either in 
> R16 or trunk but got:
> {noformat}
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |GenericDelegator  
> |E| Failure in create operation for entity [OrderHeader]: 
> org.apache.ofbiz.entity.GenericEntityException: Error while inserting: 
> [GenericEntity:OrderHeader][agr
> eementId,null()][billingAccountId,null()][createdBy,admin(java.lang.String)][createdStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][createdTxStamp,2019-04-30 
> 12:20:49.945(java.sql.Timestamp)][currencyUom,USD(java.lang.String)][entryDa
> te,2019-04-30 
> 12:20:50.04(java.sql.Timestamp)][grandTotal,2974.99000(java.math.BigDecimal)][invoicePerShipment,Y(java.lang.String)][lastUpdatedStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][lastUpdatedTxStamp,2019-04-30 12:20:49.945(
> java.sql.Timestamp)][needsInventoryIssuance,Y(java.lang.String)][orderDate,2019-04-30
>  
> 12:20:50.04(java.sql.Timestamp)][orderId,RSCO10050(java.lang.String)][orderName,null()][orderTypeId,SALES_ORDER(java.lang.String)][originFacilityId,MyR
> etailStore(java.lang.String)][productStoreId,9100(java.lang.String)][salesChannelEnumId,POS_SALES_CHANNEL(java.lang.String)][statusId,ORDER_CREATED(java.lang.String)][terminalId,pos-1(java.lang.String)][transactionId,10010(java.lang.Stri
> ng)] (SQL Exception while executing the following:INSERT INTO 
> OFBIZ.ORDER_HEADER (ORDER_ID, ORDER_TYPE_ID, ORDER_NAME, EXTERNAL_ID, 
> SALES_CHANNEL_ENUM_ID, ORDER_DATE, PRIORITY, ENTRY_DATE, 
> PICK_SHEET_PRINTED_DATE, VISIT_ID, STATUS_ID, CR
> EATED_BY, FIRST_ATTEMPT_ORDER_ID, CURRENCY_UOM, SYNC_STATUS_ID, 
> BILLING_ACCOUNT_ID, ORIGIN_FACILITY_ID, WEB_SITE_ID, PRODUCT_STORE_ID, 
> AGREEMENT_ID, TERMINAL_ID, TRANSACTION_ID, AUTO_ORDER_SHOPPING_LIST_ID, 
> NEEDS_INVENTORY_ISSUANCE, IS_R
> USH_ORDER, INTERNAL_CODE, REMAINING_SUB_TOTAL, GRAND_TOTAL, IS_VIEWED, 
> INVOICE_PER_SHIPMENT, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, 
> CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'ORDER_HEADER' 
> caused a violation of foreign key constraint 'ORDER_HDR_SCENUM' for key 
> (POS_SALES_CHANNEL).  The statement has been rolled back.)). Rolling back 
> transaction.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |TransactionUtil   
> |I| Transaction rollback only not set, rollback only is already set.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |OrderServices 
> |E| Cannot create OrderHeader entity; problems with insert
> {noformat}
> After selecting
> # GZ-1005 '.NIT Gizmo ',
> # paying cash using the F3 button (also there it does not work very well if 
> you don't put the right amount from start, but that's another hair of the yak)
> # checking out using the F8 button





[jira] [Assigned] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-11017:
---

Assignee: Jacques Le Roux  (was: Pierre Smits)

> In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'
> --
>
> Key: OFBIZ-11017
> URL: https://issues.apache.org/jira/browse/OFBIZ-11017
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting, marketing
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-11017-DemoData.patch
>
>
> Many organisational units in the demo data set are type-cast wrongly as 
> 'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.
> This occurs in:
>  * AccountingDemoData.xml
>  * MarketingDemoData.xml





[jira] [Commented] (OFBIZ-11017) In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836423#comment-16836423
 ] 

Jacques Le Roux commented on OFBIZ-11017:
-

Thanks Pierre,

This makes sense to me, are we sure changing that will not have side effects?

> In demo data many parties are incorrectly set with role 'INTERNAL_ORGANIZATIO'
> --
>
> Key: OFBIZ-11017
> URL: https://issues.apache.org/jira/browse/OFBIZ-11017
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting, marketing
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-11017-DemoData.patch
>
>
> Many organisational units in the demo data set are type-cast wrongly as 
> 'INTERNAL_ORGANIZATIO', instead of e.g. department, team, etc.
> This occurs in:
>  * AccountingDemoData.xml
>  * MarketingDemoData.xml





[jira] [Commented] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836346#comment-16836346
 ] 

Jacques Le Roux commented on OFBIZ-11010:
-

Thanks Pawan,

Missed that indeed :) I'll shortly commit...

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-11010.patch
>
>
> While working on OFBIZ-9153 I could not reproduce the same error either in 
> R16 or trunk but got:
> {noformat}
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |GenericDelegator  
> |E| Failure in create operation for entity [OrderHeader]: 
> org.apache.ofbiz.entity.GenericEntityException: Error while inserting: 
> [GenericEntity:OrderHeader][agr
> eementId,null()][billingAccountId,null()][createdBy,admin(java.lang.String)][createdStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][createdTxStamp,2019-04-30 
> 12:20:49.945(java.sql.Timestamp)][currencyUom,USD(java.lang.String)][entryDa
> te,2019-04-30 
> 12:20:50.04(java.sql.Timestamp)][grandTotal,2974.99000(java.math.BigDecimal)][invoicePerShipment,Y(java.lang.String)][lastUpdatedStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][lastUpdatedTxStamp,2019-04-30 12:20:49.945(
> java.sql.Timestamp)][needsInventoryIssuance,Y(java.lang.String)][orderDate,2019-04-30
>  
> 12:20:50.04(java.sql.Timestamp)][orderId,RSCO10050(java.lang.String)][orderName,null()][orderTypeId,SALES_ORDER(java.lang.String)][originFacilityId,MyR
> etailStore(java.lang.String)][productStoreId,9100(java.lang.String)][salesChannelEnumId,POS_SALES_CHANNEL(java.lang.String)][statusId,ORDER_CREATED(java.lang.String)][terminalId,pos-1(java.lang.String)][transactionId,10010(java.lang.Stri
> ng)] (SQL Exception while executing the following:INSERT INTO 
> OFBIZ.ORDER_HEADER (ORDER_ID, ORDER_TYPE_ID, ORDER_NAME, EXTERNAL_ID, 
> SALES_CHANNEL_ENUM_ID, ORDER_DATE, PRIORITY, ENTRY_DATE, 
> PICK_SHEET_PRINTED_DATE, VISIT_ID, STATUS_ID, CR
> EATED_BY, FIRST_ATTEMPT_ORDER_ID, CURRENCY_UOM, SYNC_STATUS_ID, 
> BILLING_ACCOUNT_ID, ORIGIN_FACILITY_ID, WEB_SITE_ID, PRODUCT_STORE_ID, 
> AGREEMENT_ID, TERMINAL_ID, TRANSACTION_ID, AUTO_ORDER_SHOPPING_LIST_ID, 
> NEEDS_INVENTORY_ISSUANCE, IS_R
> USH_ORDER, INTERNAL_CODE, REMAINING_SUB_TOTAL, GRAND_TOTAL, IS_VIEWED, 
> INVOICE_PER_SHIPMENT, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, 
> CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'ORDER_HEADER' 
> caused a violation of foreign key constraint 'ORDER_HDR_SCENUM' for key 
> (POS_SALES_CHANNEL).  The statement has been rolled back.)). Rolling back 
> transaction.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |TransactionUtil   
> |I| Transaction rollback only not set, rollback only is already set.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |OrderServices 
> |E| Cannot create OrderHeader entity; problems with insert
> {noformat}
> After selecting
> # GZ-1005 '.NIT Gizmo ',
> # paying cash using the F3 button (also there it does not work very well if 
> you don't put the right amount from start, but that's another hair of the yak)
> # checking out using the F8 button





[jira] [Updated] (OFBIZ-9997) Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-9997:
---
Affects Version/s: (was: Trunk)
   Release Branch 18.12
   Release Branch 17.12
   Release Branch 16.11
 Priority: Major  (was: Trivial)
Fix Version/s: (was: 17.12.01)
   Issue Type: Bug  (was: Improvement)

> Replace request-redirect w/ no redirect-param attribute by 
> request-redirect-noparam
> ---
>
> Key: OFBIZ-9997
> URL: https://issues.apache.org/jira/browse/OFBIZ-9997
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL APPLICATIONS
>Affects Versions: Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-9997.patch
>
>
> This follows the discussion at http://markmail.org/message/sbfdlhntdzziqeyz





[jira] [Updated] (OFBIZ-9997) Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-9997:
---
Attachment: OFBIZ-9997.patch

> Replace request-redirect w/ no redirect-param attribute by 
> request-redirect-noparam
> ---
>
> Key: OFBIZ-9997
> URL: https://issues.apache.org/jira/browse/OFBIZ-9997
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Trivial
> Fix For: 17.12.01
>
> Attachments: OFBIZ-9997.patch
>
>
> This follows the discussion at http://markmail.org/message/sbfdlhntdzziqeyz





[jira] [Commented] (OFBIZ-9997) Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-9997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836671#comment-16836671
 ] 

Jacques Le Roux commented on OFBIZ-9997:


 [^OFBIZ-9997.patch] reverts the changes above. I need to double check before 
reverting (commit)

> Replace request-redirect w/ no redirect-param attribute by 
> request-redirect-noparam
> ---
>
> Key: OFBIZ-9997
> URL: https://issues.apache.org/jira/browse/OFBIZ-9997
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Trivial
> Fix For: 17.12.01
>
> Attachments: OFBIZ-9997.patch
>
>
> This follows the discussion at http://markmail.org/message/sbfdlhntdzziqeyz





[jira] [Updated] (OFBIZ-9537) In case of request redirect context filter override the redirect parameter

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-9537:
---
Summary: In case of request redirect context filter override the redirect 
parameter  (was: In case of requzst redirect context filter override the 
redirect parameter)

> In case of request redirect context filter override the redirect parameter
> --
>
> Key: OFBIZ-9537
> URL: https://issues.apache.org/jira/browse/OFBIZ-9537
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk, 16.11.03
>Reporter: Deepak Dixit
>Assignee: Deepak Dixit
>Priority: Major
> Fix For: 17.12.01
>
> Attachments: OFBIZ-9537.patch, OFBIZ-9537.patch
>
>
> In case of request redirect ContextFilter override the redirect parameter
> Like if you use following pattern
> {code}
> 
>   
>   
>   
> 
>   
>   
> 
> {code}
> In this case service creates new workEffort and put the newly created 
> workEffortId in requestAttribute, 
> but in response we are redirecting  parentWorkEffortId as workEffortId,
> so in this case context filter override the workEffortId that passed as 
> redirect parameter, and replace it with newly created workEffortId.
> This is due to restoring all the redirected parameter instead of default one. 
> Need to restore only success/error message so redirected page can display 
> previous request's error msg etc.
> This is handled in RequestHandler.java.
> As in case of request redirect we pass the redirect parameter name so instead 
> of restoring all the previous redirected parameter restore only error/success 
> message related parameter.





[jira] [Closed] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-11009.
---
   Resolution: Fixed
Fix Version/s: 18.12.01
   16.11.06
   17.12.01

Thanks Ingo,

Fixed in 
trunk r1859033
R18 r1859034
R17 r1859035
R16 r1859036

Now we need to check all changes done for OFBIZ-9997...


> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Assigned] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-11009:
---

Assignee: Jacques Le Roux

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Assignee: Jacques Le Roux
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Updated] (OFBIZ-9537) In case of requzst redirect context filter override the redirect parameter

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-9537:
---
Summary: In case of requzst redirect context filter override the redirect 
parameter  (was: In case of reqeust redirect context filter override the 
redirect parameter)

> In case of requzst redirect context filter override the redirect parameter
> --
>
> Key: OFBIZ-9537
> URL: https://issues.apache.org/jira/browse/OFBIZ-9537
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk, 16.11.03
>Reporter: Deepak Dixit
>Assignee: Deepak Dixit
>Priority: Major
> Fix For: 17.12.01
>
> Attachments: OFBIZ-9537.patch, OFBIZ-9537.patch
>
>
> In case of request redirect ContextFilter override the redirect parameter
> Like if you use following pattern
> {code}
> 
>   
>   
>   
> 
>   
>   
> 
> {code}
> In this case service creates new workEffort and put the newly created 
> workEffortId in requestAttribute, 
> but in response we are redirecting  parentWorkEffortId as workEffortId,
> so in this case context filter override the workEffortId that passed as 
> redirect parameter, and replace it with newly created workEffortId.
> This is due to restoring all the redirected parameter instead of default one. 
> Need to restore only success/error message so redirected page can display 
> previous request's error msg etc.
> This is handled in RequestHandler.java.
> As in case of request redirect we pass the redirect parameter name so instead 
> of restoring all the previous redirected parameter restore only error/success 
> message related parameter.



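The fix the OFBIZ-9537 description above outlines (when a request-redirect names its own redirect parameters, carry only the success/error messages over from the previous request rather than every saved attribute) as an added illustration in plain Java. This is example code, not the RequestHandler.java change itself, and the attribute names _ERROR_MESSAGE_, _ERROR_MESSAGE_LIST_, _EVENT_MESSAGE_ and _EVENT_MESSAGE_LIST_ are assumed; they do not appear in this thread.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration of the OFBIZ-9537 point: restore only message attributes
 * across a request-redirect instead of everything saved from the prior request.
 */
public final class RedirectRestoreDemo {

    /** Assumed names of the message attributes carried across a redirect. */
    static final Set<String> MESSAGE_ATTRIBUTES = new HashSet<>(Arrays.asList(
            "_ERROR_MESSAGE_", "_ERROR_MESSAGE_LIST_",
            "_EVENT_MESSAGE_", "_EVENT_MESSAGE_LIST_"));

    /**
     * Behaviour the issue reports: every attribute saved before the redirect is
     * restored on top of the redirect parameters, so the service's newly created
     * workEffortId overwrites the parentWorkEffortId passed on purpose.
     */
    static Map<String, String> restoreEverything(Map<String, String> saved,
                                                 Map<String, String> redirectParams) {
        Map<String, String> context = new LinkedHashMap<>(redirectParams);
        context.putAll(saved);
        return context;
    }

    /**
     * Behaviour the issue asks for: only message attributes come back, so the
     * redirect parameter keeps the value the controller set for it.
     */
    static Map<String, String> restoreMessagesOnly(Map<String, String> saved,
                                                   Map<String, String> redirectParams) {
        Map<String, String> context = new LinkedHashMap<>(redirectParams);
        for (Map.Entry<String, String> entry : saved.entrySet()) {
            if (MESSAGE_ATTRIBUTES.contains(entry.getKey())) {
                context.put(entry.getKey(), entry.getValue());
            }
        }
        return context;
    }

    public static void main(String[] args) {
        // Constructed request state: the service created WE-NEW and left a message.
        Map<String, String> saved = new LinkedHashMap<>();
        saved.put("workEffortId", "WE-NEW");
        saved.put("_EVENT_MESSAGE_", "Work effort created");

        // Constructed redirect: the controller passes parentWorkEffortId as workEffortId.
        Map<String, String> redirect = new LinkedHashMap<>();
        redirect.put("workEffortId", "WE-PARENT");

        System.out.println("restore everything -> workEffortId = "
                + restoreEverything(saved, redirect).get("workEffortId"));
        System.out.println("messages only      -> workEffortId = "
                + restoreMessagesOnly(saved, redirect).get("workEffortId"));
        System.out.println("message still present: "
                + restoreMessagesOnly(saved, redirect).containsKey("_EVENT_MESSAGE_"));
    }
}
```

The allow-list is the point: state that survives a redirect is an input to the next request, so restoring only the few attributes the redirected page is meant to display keeps stale values from silently overriding parameters the controller chose explicitly.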


[jira] [Reopened] (OFBIZ-9997) Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reopened OFBIZ-9997:


Reopen after OFBIZ-11009

> Replace request-redirect w/ no redirect-param attribute by 
> request-redirect-noparam
> ---
>
> Key: OFBIZ-9997
> URL: https://issues.apache.org/jira/browse/OFBIZ-9997
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Trivial
> Fix For: 17.12.01
>
>
> This follows the discussion at http://markmail.org/message/sbfdlhntdzziqeyz





[jira] [Assigned] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-11009:
---

Assignee: (was: Jacques Le Roux)

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836483#comment-16836483
 ] 

Jacques Le Roux commented on OFBIZ-11009:
-

Hi Ingo,

I can't reproduce using either
https://localhost:8443/accounting/control/listInvoiceItems?invoiceId=demo10001
https://demo-trunk.ofbiz.apache.org/accounting/control/listInvoiceItems?invoiceId=demo10001
https://demo-stable.ofbiz.apache.org/accounting/control/listInvoiceItems?invoiceId=demo10001

Please confirm and close or give more details about your issue, thanks


> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Assignee: Jacques Le Roux
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-09 Thread Ingo Wolfmayr (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836607#comment-16836607
 ] 

Ingo Wolfmayr commented on OFBIZ-11009:
---

 Hi Jacques,

go to 
[https://demo-trunk.ofbiz.apache.org/accounting/control/listInvoiceItems?invoiceId=demo10001]

Click on "update" below the existing items. 

You will then be redirected to 
[https://demo-trunk.ofbiz.apache.org/accounting/control/listInvoiceItems|https://demo-trunk.ofbiz.apache.org/accounting/control/listInvoiceItems?invoiceId=demo10001]
 (without invoiceId). You will not see the invoice items as the context to the 
invoice is gone.

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Updated] (OFBIZ-11016) Setting 'Payment (net days)' term does not update 'due date' of invoice

2019-05-09 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11016:
-
Attachment: Screen Shot 2019-05-09 at 10.10.31.png

> Setting 'Payment (net days)'  term does not update 'due date' of invoice
> 
>
> Key: OFBIZ-11016
> URL: https://issues.apache.org/jira/browse/OFBIZ-11016
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Priority: Major
>  Labels: Payable, invoice, payments, receivable
> Attachments: Screen Shot 2019-05-09 at 10.10.31.png, Screen Shot 
> 2019-05-09 at 10.10.55.png
>
>
> When setting the 'Payment (net days) ' terms, and setting the number of days, 
> the due date of the invoice does not get updated. 
> As a result the overviews for Accounts Payable and Accounts Receivable show 
> incorrect results.





[jira] [Updated] (OFBIZ-11016) Setting 'Payment (net days)' term does not update 'due date' of invoice

2019-05-09 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11016:
-
Attachment: Screen Shot 2019-05-09 at 10.10.55.png

> Setting 'Payment (net days)'  term does not update 'due date' of invoice
> 
>
> Key: OFBIZ-11016
> URL: https://issues.apache.org/jira/browse/OFBIZ-11016
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Release 
> Branch 18.12
>Reporter: Pierre Smits
>Priority: Major
>  Labels: Payable, invoice, payments, receivable
> Attachments: Screen Shot 2019-05-09 at 10.10.31.png, Screen Shot 
> 2019-05-09 at 10.10.55.png
>
>
> When setting the 'Payment (net days) ' terms, and setting the number of days, 
> the due date of the invoice does not get updated. 
> As a result the overviews for Accounts Payable and Accounts Receivable show 
> incorrect results.





[jira] [Commented] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836222#comment-16836222
 ] 

Jacques Le Roux commented on OFBIZ-10054:
-

At r1858977 I had to add 
bq. compile 'org.apache.commons:commons-lang3:3.9'
in build.gradle of R16, not in others, not sure why.

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo onerror=alert(Hi!);
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.





[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836229#comment-16836229
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

By default we now use a permissive sanitizer policy, I updated/fixed 
owasp.properties in
trunk r1858980  
R18 r1858981
R17 r1858982
R16 r1858983


> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.





[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836215#comment-16836215
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

Thanks Mathieu,

I backported r1858933 in R16 at r1858978b to ease further possible backports

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.





[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836270#comment-16836270
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

Hi [~mbrohl], [~Dennis Balkir],

While working on OFBIZ-10054, I noticed that I think you somehow "translated" 
an [antisamy xml example inspired by 
eBay|https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy-smoketest/src/main/webapp/WEB-INF/policies/antisamy-ebay.xml]
 to create CustomPermissivePolicy.java. Is that right?

If yes, I believe you did so because the AntiSamy API has not been updated 
since 2013. Is that right too? I ask that because I believe it would be 
interesting to translate also [the safer policy inspired by 
Slashdot|https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy-smoketest/src/main/webapp/WEB-INF/policies/antisamy-slashdot.xml]
 and I'd like to know your experience, thanks.

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



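The two points discussed in this thread, the class attributes that OFBIZ-10187 reports being stripped and the event-handler attribute from the OFBIZ-10054 report, as an added example built on the OWASP java-html-sanitizer (the `org.owasp.html` package, Maven artifact `com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer`). This is illustration code and not OFBiz's CustomPermissivePolicy; the element list is an assumption far smaller than a real policy, and the two input strings are constructed here, with plain paths in place of the `<@ofbizContentUrl>` and `<@ofbizUrl>` directives of the original markup.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added illustration (not OFBiz's CustomPermissivePolicy): a sanitizer policy
 * that keeps "class" on every allowed element while still dropping
 * script-bearing attributes such as onerror.
 */
public final class ClassFriendlyPolicyDemo {

    /** Assumed, deliberately small element list; a real policy allows much more. */
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("div", "p", "span", "h1", "h2", "h3", "a", "img")
            // The OFBIZ-10187 point: "class" carries no script, so allow it on all elements.
            .allowAttributes("class").globally()
            // URL-bearing attributes are kept only with the standard protocols
            // (http, https, mailto) or as relative URLs.
            .allowStandardUrlProtocols()
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .toFactory();

    /** Constructed input modelled on the slider markup quoted in the issue. */
    static final String SLIDER_HTML =
            "<div class=\"slide\">"
          + "<img class=\"slide-img\" src=\"/webcontent/img/slider/1.jpg\" alt=\"\" />"
          + "<div class=\"caption\"><h2 class=\"title\">Lorem ipsum dolor sit amet</h2>"
          + "<p class=\"lead\">At vero eos et accusam et justo</p>"
          + "<a class=\"btn\" href=\"/cms/page-100\">weitere Informationen</a></div></div>";

    /** Constructed input modelled on the OFBIZ-10054 report: an event handler on an image. */
    static final String HANDLER_HTML =
            "<img class=\"large\" src=\"non_existent.foo\" onerror=\"alert('Hi!')\" />";

    static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    /** True when class attributes survive sanitizing and the event handler does not. */
    static boolean policyBehavesAsIntended() {
        String slider = sanitize(SLIDER_HTML);
        String image = sanitize(HANDLER_HTML);
        return slider.contains("class=\"slide\"")
            && slider.contains("class=\"btn\"")
            && image.contains("class=\"large\"")
            && !image.contains("onerror");
    }

    public static void main(String[] args) {
        System.out.println(sanitize(SLIDER_HTML));
        System.out.println(sanitize(HANDLER_HTML));
        System.out.println("class kept, handler dropped: " + policyBehavesAsIntended());
    }
}
```

Allowing `class` globally is the pragmatic choice for content written by trusted editors, which is the case the issue describes. Where authors are less trusted, the same builder can constrain the value with `allowAttributes("class").matching(pattern).globally()`, since an unrestricted class name can reach any rule in the site's stylesheets even though it cannot run script.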


[jira] [Commented] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836262#comment-16836262
 ] 

Jacques Le Roux commented on OFBIZ-10054:
-

About my comment above
bq.  I should note here though that currently the AntiSamy API is not used in 
OFBiz. This is something that still needs to be clarified with the authors of 
OFBIZ-10187. Maybe it was easier for them to adapt from XML to Java...

Before asking them I remembered that the AntiSamy API has not been updated 
since 2013, so it should be considered somehow deprecated (it's a century in 
terms of security).

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo onerror=alert(Hi!);
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.





[jira] [Commented] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Pawan Verma (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836324#comment-16836324
 ] 

Pawan Verma commented on OFBIZ-11010:
-

Adding the missing data for POS_SALES_CHANNEL fixes this issue; it was 
removed in r1754402. Attaching a patch for the same.

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Pawan Verma
>Priority: Major
> Attachments: OFBIZ-11010.patch
>
>
> While working on OFBIZ-9153 I could not reproduce the same error either in 
> R16 or trunk but got:
> {noformat}
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |GenericDelegator  
> |E| Failure in create operation for entity [OrderHeader]: 
> org.apache.ofbiz.entity.GenericEntityException: Error while inserting: 
> [GenericEntity:OrderHeader][agr
> eementId,null()][billingAccountId,null()][createdBy,admin(java.lang.String)][createdStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][createdTxStamp,2019-04-30 
> 12:20:49.945(java.sql.Timestamp)][currencyUom,USD(java.lang.String)][entryDa
> te,2019-04-30 
> 12:20:50.04(java.sql.Timestamp)][grandTotal,2974.99000(java.math.BigDecimal)][invoicePerShipment,Y(java.lang.String)][lastUpdatedStamp,2019-04-30
>  12:20:50.181(java.sql.Timestamp)][lastUpdatedTxStamp,2019-04-30 12:20:49.945(
> java.sql.Timestamp)][needsInventoryIssuance,Y(java.lang.String)][orderDate,2019-04-30
>  
> 12:20:50.04(java.sql.Timestamp)][orderId,RSCO10050(java.lang.String)][orderName,null()][orderTypeId,SALES_ORDER(java.lang.String)][originFacilityId,MyR
> etailStore(java.lang.String)][productStoreId,9100(java.lang.String)][salesChannelEnumId,POS_SALES_CHANNEL(java.lang.String)][statusId,ORDER_CREATED(java.lang.String)][terminalId,pos-1(java.lang.String)][transactionId,10010(java.lang.Stri
> ng)] (SQL Exception while executing the following:INSERT INTO 
> OFBIZ.ORDER_HEADER (ORDER_ID, ORDER_TYPE_ID, ORDER_NAME, EXTERNAL_ID, 
> SALES_CHANNEL_ENUM_ID, ORDER_DATE, PRIORITY, ENTRY_DATE, 
> PICK_SHEET_PRINTED_DATE, VISIT_ID, STATUS_ID, CR
> EATED_BY, FIRST_ATTEMPT_ORDER_ID, CURRENCY_UOM, SYNC_STATUS_ID, 
> BILLING_ACCOUNT_ID, ORIGIN_FACILITY_ID, WEB_SITE_ID, PRODUCT_STORE_ID, 
> AGREEMENT_ID, TERMINAL_ID, TRANSACTION_ID, AUTO_ORDER_SHOPPING_LIST_ID, 
> NEEDS_INVENTORY_ISSUANCE, IS_R
> USH_ORDER, INTERNAL_CODE, REMAINING_SUB_TOTAL, GRAND_TOTAL, IS_VIEWED, 
> INVOICE_PER_SHIPMENT, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, 
> CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
> ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'ORDER_HEADER' 
> caused a violation of foreign key constraint 'ORDER_HDR_SCENUM' for key 
> (POS_SALES_CHANNEL).  The statement has been rolled back.)). Rolling back 
> transaction.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |TransactionUtil   
> |I| Transaction rollback only not set, rollback only is already set.
> 2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |OrderServices 
> |E| Cannot create OrderHeader entity; problems with insert
> {noformat}
> After selecting
> # GZ-1005 '.NIT Gizmo ',
> # paying cash using the F3 button (also there it does not work very well if 
> you don't put the right amount from start, but that's another hair of the yak)
> # checking out using the F8 button





[jira] [Updated] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Pawan Verma (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pawan Verma updated OFBIZ-11010:

Attachment: OFBIZ-11010.patch

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Pawan Verma
>Priority: Major
> Attachments: OFBIZ-11010.patch
>
>





[jira] [Commented] (OFBIZ-10757) Upgrade OFBiz to use Java JDK Version 11

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836187#comment-16836187
 ] 

Jacques Le Roux commented on OFBIZ-10757:
-

I think we can now close here, right? We know there are warnings but that should not prevent closing, agreed?

> Upgrade OFBiz to use Java JDK Version 11
> 
>
> Key: OFBIZ-10757
> URL: https://issues.apache.org/jira/browse/OFBIZ-10757
> Project: OFBiz
>  Issue Type: Improvement
>Reporter: Taher Alkhateeb
>Priority: Minor
> Attachments: OFBIZ-10757-framework.patch, 
> OFBIZ-10757-framework.patch, OFBIZ-10757-framework.patch, 
> OFBIZ-10757-framework.patch, OFBIZ-10757-plugins.patch, 
> OFBIZ-10757-plugins.patch
>
>
> To implement as per [Discussion 
> Thread|https://lists.apache.org/thread.html/71b8c1048f1dd4c5b3f104233c9af7b2cbc690863fe35b08ef91fcf5@%3Cdev.ofbiz.apache.org%3E]





[jira] [Created] (OFBIZ-11016) Setting 'Payment (net days)' term does not update 'due date' of invoice

2019-05-09 Thread Pierre Smits (JIRA)
Pierre Smits created OFBIZ-11016:


 Summary: Setting 'Payment (net days)' term does not update 'due date' of invoice
 Key: OFBIZ-11016
 URL: https://issues.apache.org/jira/browse/OFBIZ-11016
 Project: OFBiz
  Issue Type: Bug
  Components: accounting
Affects Versions: Release Branch 16.11, Release Branch 15.12, Trunk, 
Release Branch 14.12, Release Branch 13.07, Release Branch 17.12, Release 
Branch 18.12
Reporter: Pierre Smits


When setting the 'Payment (net days)' term, and setting the number of days, 
the due date of the invoice does not get updated.

As a result the overviews for Accounts Payable and Accounts Receivable show 
incorrect results.





[jira] [Closed] (OFBIZ-10933) Insertion order of ‘LinkedHashMap’ is not preserved by ‘MapContext’

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10933.
---

Thanks Mathieu,

I backported it in R18 at r1858483, closing.

> Insertion order of ‘LinkedHashMap’ is not preserved by ‘MapContext’
> ---
>
> Key: OFBIZ-10933
> URL: https://issues.apache.org/jira/browse/OFBIZ-10933
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Release Branch 18.12
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Major
> Fix For: Trunk, Release Branch 18.12
>
> Attachments: 
> OFBIZ-10933_0001-Improved-Add-UtilMisc-toMap-Supplier-Map-K-V-Object.patch, 
> OFBIZ-10933_0002-Fixed-Ensure-that-MapContext-preserves-insertion-ord.patch
>
>
> Since revision 1837462, when pushing a ‘LinkedHashMap’ inside a ‘MapContext’, 
> the iteration order of the ‘MapContext’ values does not correspond to the 
> insertion order of the embedded ‘LinkedHashMap’, which is important in the 
> ‘ControllerConfig’ case where configuration elements are stored in 
> ‘LinkedHashMap’ objects and the ‘include’ mechanism relies on ‘MapContext’.





[jira] [Assigned] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-11010:
---

Assignee: Jacques Le Roux  (was: Pawan Verma)

> Touch F8 in webpos does not work and generate an error
> --
>
> Key: OFBIZ-11010
> URL: https://issues.apache.org/jira/browse/OFBIZ-11010
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-11010.patch
>
>





[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836109#comment-16836109
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

As I needed the fix for OFBIZ-10054, I backported it using [^OFBIZ-10187_Sanitizer_16.11.patch] in R16 r1858968

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.





[jira] [Closed] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10187.
---
   Resolution: Fixed
Fix Version/s: 16.11.06

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>





[jira] [Commented] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16836110#comment-16836110
 ] 

Jacques Le Roux commented on OFBIZ-10054:
-

Actually there are 2 ways used in OFBiz:
 # To prevent saving stored XSS scripts in the DB we reject them beforehand. This is achieved with UtilCodec.checkStringForHtmlStrictNone(). [Most of the possible XSS attacks rely on the less-than (<) and greater-than (>) symbols|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet]. But as shown with the current issue [there are other types of possible attacks|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers].
 # Filter HTML texts and remove the unwanted parts. This is done using policies with HtmlEncoder::sanitize. The default policy is not very permissive. Since OFBIZ-10187 it's easier to create your own, more permissive policies. An [example inspired by eBay is available OOTB|https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file]. To be safer a [policy inspired by Slashdot|https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy-smoketest/src/main/webapp/WEB-INF/policies/antisamy-slashdot.xml] could be used. Anyway it's up to you... I should note here though that currently the AntiSamy API is not used in OFBiz. This is something that still needs to be clarified with the authors of OFBIZ-10187. Maybe it was easier for them to adapt from XML to Java...

These 2 ways (reject or filter) are somehow discussed here: 
[https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md]

Anyway, my proposition of using HtmlEncoder::sanitize inside UtilCodec.checkStringForHtmlStrictNone() was wrong, because they don't achieve the same goal. One rejects, the other modifies, with the hope of making the result safer (which can't be 100% guaranteed).

Greg's solution doesn't work either, for the same reason. With UtilCodec.checkStringForHtmlStrictNone(), we need to reject, not change.

I have committed a solution which rejects any js event in:
trunk r1858965
R18 r1858966
R17 r1858967
R16 r1858969

According to https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet there are 2 other types of cases which are not covered by rejecting less-than (<) and greater-than (>) symbols:
# [US-ASCII_encoding|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding]
# Flash

As I commented in the code:
# All our Tomcat connectors use UTF-8, so not a problem
# We don't care about Flash, now rather deprecated in the latest versions of major browsers. And actually we don't use Flash OOTB at all


> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Improvement
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo onerror=alert(Hi!);
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.
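The two strategies contrasted in the comment above (reject with UtilCodec.checkStringForHtmlStrictNone() versus filter with a sanitizer policy), as an added example that is not OFBiz code: a Python re-implementation of both, with constructed error messages, a constructed allow-list policy and a coarse event-handler pattern that are assumptions of this example, run over the report's "Large Image" value and a slider fragment in the style of the OFBIZ-10187 one.

```python
"""Added example, not OFBiz code: reject-before-store vs. filter-on-output, over constructed inputs."""
import html
import re
from html.parser import HTMLParser

# Strategy 1: reject. Same intent as UtilCodec.checkStringForHtmlStrictNone() after
# the fix above (any '<', '>' or JavaScript event handler is refused); this is a
# re-implementation with constructed messages, not the OFBiz method. The handler
# pattern is deliberately coarse: a false positive only rejects, it never alters.
EVENT_HANDLER = re.compile(r"(?<![a-z0-9_-])on[a-z]{3,}\s*=", re.IGNORECASE)

def check_string_for_html_strict_none(field, value):
    """Return error messages; an empty list means the value is accepted as-is."""
    errors = []
    if "<" in value or ">" in value:
        errors.append(f"In field [{field}] less-than (<) and greater-than (>) symbols are not allowed.")
    if EVENT_HANDLER.search(value):
        errors.append(f"In field [{field}] JavaScript event handlers (on...=) are not allowed.")
    return errors

# Strategy 2: filter. A minimal allow-list policy in the spirit of the permissive
# policies discussed above: 'class' is kept (the point of OFBIZ-10187), on* attributes
# and unsafe URL schemes are dropped, text and attribute values are escaped.
ALLOWED_TAGS = {"div", "p", "a", "img", "h2", "h3", "span", "br"}
VOID_TAGS = {"img", "br"}
ALLOWED_ATTRS = {"class", "href", "src", "alt"}
# http(s), mailto, absolute-path and relative URLs only (no javascript:, data:, ...)
SAFE_URL = re.compile(r"^(https?:|mailto:|/|[^:/?#]+(?:[/?#]|$))", re.IGNORECASE)

class PermissiveSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _attrs(self, attrs):
        parts = []
        for name, val in attrs:
            name, val = name.lower(), val or ""
            if name not in ALLOWED_ATTRS:          # drops onerror, onclick, style, ...
                continue
            if name in ("href", "src") and not SAFE_URL.match(val.strip()):
                continue                           # drops unsafe URL schemes
            parts.append(f' {name}="{html.escape(val, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):               # disallowed tags vanish, their text stays
        self.out.append(html.escape(data, quote=False))

def sanitize(value):
    parser = PermissiveSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

# Constructed inputs: the "Large Image" value from the report above and a slider
# fragment in the style of the OFBIZ-10187 example.
IMAGE_URL = "non_existent.foo onerror=alert(Hi!);"
SLIDER = ('<div class="slide"><img src="/webcontent/img/slider/1.jpg" alt="" onerror=alert(Hi!) />'
          '<a href="cms/~webpage_id=100" class="more">weitere Informationen</a></div>')

if __name__ == "__main__":
    for value in (IMAGE_URL, SLIDER):
        # The filter hands IMAGE_URL back unchanged (no markup to strip): reject and filter differ.
        print("reject:", check_string_for_html_strict_none("imageUrl", value) or "accepted")
        print("filter:", sanitize(value))
```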





[jira] [Closed] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10054.
---
   Resolution: Fixed
Fix Version/s: 18.12.01
   16.11.06
   17.12.01

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Improvement
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>





[jira] [Updated] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-10054:

Issue Type: Bug  (was: Improvement)

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>


